Legal claims defining the scope of protection, as filed with the USPTO.
1. A system for mitigating malicious email traffic, comprising: a protected server within a domain or protected email server that receives network traffic, including email traffic; at least one Authoritative Domain Name System (DNS) server of the domain; at least one DNS Traffic Analyzer and Firewall (DTAF), wherein network traffic must pass through the at least one DTAF Firewall before accessing the at least one Authoritative DNS server, and wherein the at least one DTAF Firewall analyzes and collects data from the email traffic attempting to pass through the at least one DTAF Firewall to a protected server; and a Central Master DTAF, wherein the at least one DTAF Firewall sends email traffic data to the Central Master DTAF, and wherein the Central Master DTAF sends at least one access control list to the at least one DTAF Firewall.
2. The system of claim 1, wherein network traffic must also pass through the at least one DTAF Firewall before accessing the protected server.
3. The system of claim 1, wherein network traffic must also pass through the at least one DTAF Firewall before accessing public DNS servers.
4. The system of claim 1, wherein the at least one Authoritative DNS Server sends network traffic data to the Central Master DTAF.
5. The system of claim 1, wherein the access control list(s) include information related to a specific DNS Server and wherein the at least one DTAF Firewall is capable of controlling or analyzing traffic originating from the specific DNS Server.
6. The system of claim 1, further comprising a domain shifting subsystem, wherein the domain shifting subsystem creates at least one New Authoritative DNS server and reroutes at least some network traffic to the at least one New Authoritative DNS server.
7. The system of claim 6, wherein the domain shifting subsystem rotates the at least one New Authoritative DNS Server on a regular basis.
8. The system of claim 6, wherein the at least one New Authoritative DNS server processes new network traffic.
9. The system of claim 1, wherein the access control list contains a list of denied IP addresses that are prohibited from passing through to the protected system and allowed IP addresses that are allowed to pass through to the protected system, wherein such allowed and denied IP addresses are based not only upon the source address of the attack traffic, but also IP addresses belonging to public and private DNS servers and DNS resolvers identified as relied upon by the attacker(s) to find the target protected system, such identification done via an analysis of network traffic at the attack target as well as at distributed DTAF systems that are not under attack, such as public Internet Service Provider (ISP) DNS servers.
10. The system of claim 9, wherein the IP addresses belonging to public and private DNS servers and DNS resolvers identified as relied upon by the attacker(s) to find the target protected system are identified by a reverse lookup of the source IP address to determine the owner (ISP) of the IP address and network subnet of the source IP address; wherein the ISP and source subnet information is used to look up the default DNS servers assigned to the source IP by the ISP from an internally maintained database; and wherein the detection of the use of non-default DNS servers by the attacker(s), such as open public DNS servers, via an analysis of attack traffic, current authoritative DNS values and log files, and DTAF change history, is used to determine the non-default DNS server(s) used by that attacker.
11. The system of claim 1, wherein the access control list contains a list of denied IP addresses that are prohibited from passing through to the protected system and allowed IP addresses that are allowed to pass through to the protected system, wherein such allowed and denied IP addresses are based not only upon the source address of the attack traffic, but also IP addresses belonging to public and private EMAIL SERVERS and EMAIL RELAY SERVERS identified as used by the EMAIL attacker(s) to find the target protected system or related mail exchange (MX) servers, such identification done via an analysis of network traffic at the attack target and the attack target EMAIL server, as well as at distributed DTAF systems that are not under attack, such as public Internet Service Provider (ISP) DNS servers.
12. The system of claim 1, wherein the access control list contains a list of restricted IP addresses that are dynamically and selectively allowed to pass through to the protected system based upon a list of allowed or disallowed query types, wherein such allowed and denied IP addresses are based not only upon the source address of the attack traffic, but also IP addresses belonging to public and private EMAIL SERVERS and EMAIL RELAY SERVERS identified as used by the EMAIL attacker(s) to find the target protected system or related mail exchange (MX) servers, such identification done via an analysis of network traffic at the attack target and the attack target EMAIL server, as well as at distributed DTAF systems that are not under attack, such as public Internet Service Provider (ISP) DNS servers.
13. A method for mitigating malicious network traffic, comprising the following steps: analyzing network traffic intended for at least one Authoritative Domain Name System (DNS) server or email server; generating network traffic and email relay data; sending the network traffic and email relay data to a Central Master DTAF central system; receiving an access control list from the Central Master DTAF central system; updating firewall parameters based upon the received access control list; creating at least one New Authoritative DNS server; and routing at least some of the network traffic to the at least one New Authoritative DNS server.
14. The method of claim 13, further comprising the following step: rotating the Authoritative DNS servers on a regular basis.
15. The method of claim 13, further comprising the following steps: generating an access control list of denied IP addresses; and denying access to the protected server for an IP address on the access control list.
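The access-control-list logic of claims 9, 10 and 12 (deny attack sources; deny the non-default resolvers several attackers relied on; only restrict query types on an ISP's default resolver, since legitimate customers share it) is easier to reason about in code. The following is an added illustration written for this page, not the patent's own implementation or any product code: the ISP database, the resolver classification rule, the `min_attackers` threshold and the sample records are all constructed assumptions standing in for the reverse lookup and "internally maintained database" the claims describe.

```python
"""Toy DTAF access-control-list derivation (illustration, not the patented system).

Assumptions (constructed for this example):
- Each DTAF reports a Record per observed connection to the Central Master.
- ISP_DB stands in for claim 10's reverse lookup plus internal ISP database.
- A resolver is "non-default" for a source when it is not one of the default
  resolvers of the source's ISP (e.g. an open public resolver).
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One traffic observation a DTAF sends to the Central Master DTAF."""
    source_ip: str     # client that connected to the protected (mail) server
    resolver_ip: str   # DNS resolver that queried the authoritative DNS for the target
    query_type: str    # DNS query type seen from that resolver, e.g. "MX" or "A"
    attack: bool       # verdict of the local traffic analyzer


# Constructed ISP database: network prefix -> (ISP name, ISP's default resolvers).
ISP_DB = {
    ipaddress.ip_network("203.0.113.0/24"): ("ExampleNet", frozenset({"203.0.113.53"})),
    ipaddress.ip_network("198.51.100.0/24"): ("SampleISP", frozenset({"198.51.100.53"})),
}


def isp_lookup(ip: str) -> tuple[str | None, frozenset[str]]:
    """Return (isp_name, default_resolvers) for ip, or (None, empty) if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, info in ISP_DB.items():
        if addr in net:
            return info
    return None, frozenset()


def is_default_resolver(source_ip: str, resolver_ip: str) -> bool:
    """True when resolver_ip is one the source's ISP assigns by default."""
    _, defaults = isp_lookup(source_ip)
    return resolver_ip in defaults


@dataclass
class ACL:
    deny: set[str]                          # blocked outright
    allow: set[str]                         # explicitly permitted
    restricted: dict[str, frozenset[str]]   # ip -> query types blocked for that ip


def build_acl(records: list[Record], min_attackers: int = 2) -> ACL:
    """Derive the ACL the Central Master would push back to the DTAF firewalls."""
    deny: set[str] = set()
    attackers_per_resolver: dict[str, set[str]] = defaultdict(set)
    attack_qtypes: dict[str, set[str]] = defaultdict(set)
    default_resolvers: set[str] = set()
    for r in records:
        if not r.attack:
            continue
        deny.add(r.source_ip)                       # the attacking source itself
        attackers_per_resolver[r.resolver_ip].add(r.source_ip)
        attack_qtypes[r.resolver_ip].add(r.query_type)
        if is_default_resolver(r.source_ip, r.resolver_ip):
            default_resolvers.add(r.resolver_ip)
    restricted: dict[str, frozenset[str]] = {}
    for resolver, attackers in attackers_per_resolver.items():
        if len(attackers) < min_attackers:
            continue  # one attacker: blocking the source is enough
        if resolver in default_resolvers:
            # ISP default resolver shared with legitimate customers: block only
            # the query types the attackers used through it (claim 12 style).
            restricted[resolver] = frozenset(attack_qtypes[resolver])
        else:
            # Non-default / open resolver relied on by several attackers: deny it.
            deny.add(resolver)
    allow = {r.source_ip for r in records if not r.attack} - deny
    return ACL(deny, allow, restricted)


def decide(acl: ACL, ip: str, query_type: str) -> str:
    """Firewall decision for one packet: 'deny', 'allow' or 'unknown' (not listed)."""
    if ip in acl.deny:
        return "deny"
    if ip in acl.restricted:
        return "deny" if query_type in acl.restricted[ip] else "allow"
    if ip in acl.allow:
        return "allow"
    return "unknown"


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_RECORDS = [
    Record("203.0.113.10", "203.0.113.53", "MX", True),   # attacker via ISP default resolver
    Record("203.0.113.11", "203.0.113.53", "MX", True),   # second attacker, same resolver
    Record("203.0.113.12", "192.0.2.53", "MX", True),     # attacker via open resolver
    Record("198.51.100.7", "192.0.2.53", "MX", True),     # another attacker, same open resolver
    Record("198.51.100.20", "198.51.100.53", "A", False),  # benign
    Record("203.0.113.40", "203.0.113.53", "A", False),    # benign, shares the default resolver
]

if __name__ == "__main__":
    acl = build_acl(SAMPLE_RECORDS)
    print("deny:", sorted(acl.deny))
    print("restricted:", {k: sorted(v) for k, v in acl.restricted.items()})
    print("allow:", sorted(acl.allow))
```

With the sample records the open resolver 192.0.2.53 ends up on the deny list because two distinct attackers relied on it, while the ISP default resolver 203.0.113.53 is only restricted for MX queries, so the benign customer behind it can still resolve A records.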
June 6, 2017